[Secure-testing-team] Bug#560755: python-docutils: insecure use of temporary files

Jakub Wilk ubanus at users.sf.net
Fri Dec 11 22:43:30 UTC 2009


Package: python-docutils
Version: 0.5-2
Severity: grave
Tags: security help
Justification: user security hole

Emacs major mode for reStructuredText (rst.el) uses temporary files
with predictable names in an insecure fashion:

| (defun rst-compile-pdf-preview ()
|   "Convert the document to a PDF file and launch a preview program."
|   (interactive)
|   (let* ((tmp-filename "/tmp/out.pdf")
|          (command (format "%s %s %s && %s %s"
|                           (cadr (assq 'pdf rst-compile-toolsets))
|                           buffer-file-name tmp-filename
|                           rst-pdf-program tmp-filename)))
|     (start-process-shell-command "rst-pdf-preview" nil command)
|     ;; Note: you could also use (compile command) to view the compilation
|     ;; output.
|     ))
[...]
| (defun rst-compile-slides-preview ()
|   "Convert the document to an S5 slide presentation and launch a preview program."
|   (interactive)
|   (let* ((tmp-filename "/tmp/slides.html")
|          (command (format "%s %s %s && %s %s"
|                           (cadr (assq 's5 rst-compile-toolsets))
|                           buffer-file-name tmp-filename
|                           rst-slides-program tmp-filename)))
|     (start-process-shell-command "rst-slides-preview" nil command)
|     ;; Note: you could also use (compile command) to view the compilation
|     ;; output.
|     ))

How to reproduce/exploit this bug
---------------------------------

Attacker:
$ ln -sf /path/to/file/the/attacker/want/to/overwrite /tmp/slides.html

Victim:
$ emacs foo.rst
M-x rst-mode
C-c 5

-- 
Jakub Wilk
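
A hardened variant of the two commands quoted in the report, given here as an added example; it is not part of the original message and is not the docutils fix. The my-rst-* names are hypothetical; rst-compile-toolsets, rst-pdf-program and rst-slides-program are the rst.el variables that appear in the quoted code. It assumes a /tmp with the sticky bit set.

```elisp
;; Added example: one helper replaces the fixed /tmp/out.pdf and
;; /tmp/slides.html paths with a file that Emacs creates itself.
;; All my-rst-* names are hypothetical and not part of rst.el.

(defun my-rst-preview-in-temp-file (toolset viewer suffix)
  "Convert the current file with TOOLSET, then open the result with VIEWER.
The output is written to a newly created temporary file ending in SUFFIX.
Return the name of that file."
  (unless buffer-file-name
    (error "Buffer is not visiting a file"))
  ;; `make-temp-file' chooses a random name and creates the file itself,
  ;; refusing to reuse a path that already exists.  A symlink planted in
  ;; advance at a guessed name is therefore never written through, and
  ;; the resulting file is owned by the current user.
  (let* ((tmp-filename (make-temp-file "rst-preview-" nil suffix))
         (command (format "%s %s %s && %s %s"
                          (cadr (assq toolset rst-compile-toolsets))
                          ;; Quote both paths: the command goes to a shell.
                          (shell-quote-argument buffer-file-name)
                          (shell-quote-argument tmp-filename)
                          viewer
                          (shell-quote-argument tmp-filename))))
    (start-process-shell-command "rst-preview" nil command)
    tmp-filename))

(defun my-rst-compile-pdf-preview ()
  "Convert the document to a PDF file and launch a preview program."
  (interactive)
  (my-rst-preview-in-temp-file 'pdf rst-pdf-program ".pdf"))

(defun my-rst-compile-slides-preview ()
  "Convert the document to an S5 slide presentation and launch a preview program."
  (interactive)
  (my-rst-preview-in-temp-file 's5 rst-slides-program ".html"))
```

The temporary file is left in place for the viewer and is not deleted by this code.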